With added support for Linux, Mac, and Windows along with the introduction of support for WS-Federation, Novell is moving toward tighter integration with more enterprise applications.

Novell is expanding its access management solution today with the addition of new
federation options, new client support and new functionality that monitors clients to
ensure compliance with security policy, similarly to Network Access Control (NAC).

Novell's new Access Manager 3.1 release comes as the market for access control
solution continues to heat up with IBM, CA, Oracle ramping up
their own solutions. The new release also borrows from Novell's partnership with
Microsoft, which plays a key role in the interoperability of the two companies'
wares.

"The goals of designing Access Manager is about how do we simplify the management and
deployment of securing access to web as well as enterprise applications," Lee Howarth,
product manager for identity and security at Novell, told InternetNews.com.

A chief addition to the product is improved support for federation -- a mechanism by
which users can be authenticated across different security domains -- through its support
of WS-Federation, a specification developed by many of the major players in enterprise
identity federation, including Novell. Getting WS-Federation into Access Manager adds
compatibility with key business applications, and in particular, Microsoft's SharePoint
collaboration suite.

"One of the key differences of adding WS-Federation is its providing more value than
just single sign-on across organizational boundaries," Howarth said. "This is now
providing a business value."

"If you've got lot of different identity stores across your organization, and you need
to provide access to outside business partners, it can become difficult to manage
identities," he added.

With Access Manager 3.1, Howarth explained that once Access Manager has authenticated
a user, it doesn't matter whether they are listed in eDirectory, iPlanet, Active
Directory or any other compliant identity store -- they can now get single sign-on
through to Microsoft SharePoint without having to manage individual identities' from the
SharePoint identity store.

"The way it works is we transform the identity ... into claims," Howard said, adding
that those, in turn, interoperate with Active Directory Federation Services (ADFS),
Microsoft's implementation of WS-Federation.

As part of the technical collaboration, Novell Access Manager integrates with Windows
CardSpace, a technology included in Microsoft's Windows Vista operating system that
securely stores and transmits personal identities.

The pair's joint work also comes into play with the open source Bandit identity management
framework, which aims to create an identity fabric for the Web, unifying disparate
silos of identity management.

As a result, Access Manager 3.1 can both accept and create cards that can be used
wherever CardSpace identities are accepted. Howarth added that Novell, though the Bandit
project, also has created CardSpace clients for Mac and Linux.

Cross-platform compatibility is also an area where Access Manager has improved its
included
SSL VPN. The VPN provides secure remote access and now has clients available that
will work on Linux, Mac and Windows.

To NAC or Not to NAC?

Access Manager 3.1 also delivers client integrity checking that will identify whether
an endpoint has the proper security in place. Howarth added that integrity checking now
also occurs continuously, so that if a firewall is disabled for some reason, the Access
Manager client will identify that the associated endpoint is out of compliance.

The approach to pre-connect endpoint integrity checking is similar to what network
access control (NAC) technologies offer, though Howarth noted that Access Manager 3.1
isn't exactly the same. Novell also offers a NAC product called
ZENworks Network Access Control solution, which debuted in September 2008.

"It's not specifically related to the Access Manager technology, although we have been
exploring where we could use NAC policies in general," he said. "We haven't the key
pieces that we want just yet."

Howarth argued that Access Manager is about user identity, as opposed to just network
security policy.

"By the fact that you're actually authenticating to Access Manager, it means we know
who you are," Howarth said. "And we provide mapping capabilities, so we can get you into
any other service that is using one of tee supported specifications."